Internet Network Security Blog

Sales of 10 gigabit per second (Gbps) Ethernet Switches are expected to reach $13 billion by 2016 and will constitute nearly half of a total $28 billion Ethernet Switch market by then, a forecast from the research firm Dell'Oro Group states. And even as data center operators upgrade from 1 Gigabit Ethernet (GbE) Switches to 10GbE in order to handle exponentially larger volumes of network data traffic, sales of even faster 40GbE and 100GbE switches will also be picking up as well.

By 2016 sales of 40 and 100GbE products will amount to $3 billion, Dell'Oro said in its five-year forecast for the Ethernet Switch market. The company, which is focused exclusively on networking and telecommunications equipment market research, expects the strongest growth in 10GbE Ethernet in 2013 and 2014 as enterprise data centers invest in the technology for server access through a mix of connectivity options for blade and rack-mounted servers.

Growth in 10GbE deployments will be driven by continued adoption of virtualization, meaning servers will be running at higher utilization rates than do non-virtualized servers, said Alan Weckel, senior director at Dell'Oro Group. Another driver is expected to be the expected server refresh cycle prompted by the release of Intel's new Romley microprocessor platform, which will provide the faster server throughput that is needed for virtualization.

"Romley comes out in the first half of 2012, so 2012 is going to be the time that enterprises go through qualification tests of the new servers and new switches. The hockey stick up is [in] 2013," Weckel said.

Vendors in this burgeoning market include Alcatel-Lucent, Avaya, Brocade, Cisco Systems, Extreme Networks, Dell, HP, IBM, and Juniper Networks, but Weckel declined to say which specific vendors Dell'Oro thinks will benefit more from 10GbE sales than others.

Vendors are seeing the same pick-up that Dell'Oro sees.

"This is the year of 10 gig," said Arpit Joshipura, chief marketing officer for Force 10 Networks, which was acquired by Dell in August 2011. "All of a sudden, this year we will see a lot more 10 gigabit deployments and it's already starting to happen in our customer base."

Joshipura, who came to Dell from Force 10, said Force 10 developed the first 10GbE switches about 10 years ago and would have hoped the technology would have caught on sooner but is nonetheless happy that sales are picking up. However, while the rate of growth of 10GbE switch sales is strong, Dell still sells far more 1GbE switches than 10GbE ones. Based on unit sales, he estimated 90 percent of sales are of the previous generation 1GbE products.

Likewise, Cisco Systems sees strong growth in the 10GbE market and crossed the 10 million unit sales mark in December 2011, said Shashi Kiran, senior director of data center and enterprise networking at Cisco.

Kiran said Cisco currently enjoys a 76 percent share of the 10GbE market and that, although the majority of their sales are also still of 1GbE products, the growth rate for 10GbE is higher. He also said that as more 10GbE switches are deployed, Cisco is acting proactively to see what other points on a network may appear as "choke points" for the faster 10GbE traffic.

Kiran also said unit sales of 10GbE products are driven by declining prices, which makes it easier for customers to justify purchasing 10GbE to replace 1GbE on their networks.

Dell'Oro's Weckel provided some specifics: Across all vendors, the average selling price of a 10GbE product was $388 per port in 2011, down from $818 per port in 2008.

Learn more about IT PRO Report: Data Center Networking by subscribing to Network Computing Pro Reports (free, registration required).

Network equipment vendor Enterasys is tackling the growing problem of managing wired and wireless devices with the latest addition to its suite of fabric network management technology, the OneFabric Edge Architecture. The combined wired-wireless management fabric relieves a number of network management headaches, especially in situations where the wired network is often managed by one vendor and the wireless network by another, says the company.

"Wired is a pain in the butt now," said Craig Mathias, a principal analyst at Farpoint Group. With wireless devices ubiquitous in the workplace, he wonders why anyone would use a wired network.

For now, though, wired and wireless networks have to work together and need to be merged. "The idea of thinking of the network as a single unified entity ... is one of the key emerging themes that I think you're going to see a lot of emphasis on over the next couple of years," Mathias said.

The OneFabric Edge features an end-to-end integration of the wireless local area network (WLAN) and the wired infrastructure and integrates Enterasys' security and management features with application-aware capabilities that aid compliance and service level agreements (SLAs). The product introduces what Enterasys calls the Wireless Services Engine (WiSE), a WLAN controller for application services, which the company said gives customers greater flexibility for deploying edge access in virtual, physical and cloud environments.

Lastly, the OneFabric Edge introduces the K-Series modular switch, which provides visibility into network traffic to determine location, identification, and overall management capabilities of the converged wired and wireless network. Enterasys says the K-Series switch helps manage environments in which employees bring their own wireless devices into work to run on the corporate network.

Both the Enterasys data center fabric and edge fabric systems are jointly managed by the OneFabric Control Center management console.

While applauding Enterasys' innovation, Mathias said it faces considerable competition in the data center fabric space from companies such as Cisco Systems, Juniper Networks, Brocade and others -- as well as in the edge network space.Although network and edge fabric technology from those and other vendors is catching on, a recent survey of the people who buy networking equipment showed some caution about embracing new technology too soon. Information Week analytics released a survey earlier this month that showed that IT buyers favored products built to industry standards over those with the latest innovation, including network fabrics.

The report noted "a general wariness of proprietary features, where many cutting-edge capabilities are in flux--either the standards aren't complete or are yet to be widely adopted."

Those kinds of reservations are warranted, but Enterasy says its approach to fabric computing is different from that of competitors, noting that it uses an open architecture based on networking standards and that its fabric offerings are compatible with other vendors' legacy systems, something fabric competitors can't always say.

The difference between Enterasys and competitors is also based on different definitions of the term "fabric," added Mark Townsend, director of solutions architecture for Enterasys. Enterasys endorses the research firm Gartner's definition of a network fabric as "taking a collection of resources, such as a network, and to unify those under a single control plane to deliver an application," he said.

Other vendors define fabric in terms of a "topology," he added, referring to the multi-path connections between switches and routers designed to make networks run faster, more efficiently and to be flatter.

"If you look at our competition, they are looking at fabric as a topology and the topologies that they are talking about are based on proprietary protocols," Townsend said.

While buyers may be wary of fabric technology, this happens all the time when new technology is introduced, particularly in networking, said Mathias. "There's always a degree of risk when you shift from the old modes of thought to the new modes of thought," he said, adding that vendors need to better educate prospective customers to overcome their reservations.

Learn more about Optimize Your Mobile Infrastructure by subscribing to Network Computing Pro Reports (free, registration required).

Intel, which played a key role in the creation of the InfiniBand high-speed networking standard a decade ago, has come full circle and bought the IB assets of Qlogic, one of the two remaining companies still actively pushing this technology. While $125 million is chump change for a company that netted $3.4 billion in profits last quarter, Intel says the acquisition will enhance its networking portfolio and provide scalable high-performance computing (HPC) fabric technology as well as support the company's vision of innovating on fabric architectures to achieve ExaFLOP/s performance by 2018. At a hundred times faster than today's fastest supercomputers, it's an aggressive move, seeking to accelerate performance to a quintillion computer operations per second.

The InfiniBand specification defines a low-latency, high-bandwidth input/output architecture used to interconnect servers, communications infrastructure equipment, storage and embedded systems. It is a true fabric architecture that leverages switched, point-to-point channels with data transfers today at up to 120 gigabits per second, both in chassis backplane applications as well as through external copper and optical fiber connections.

Last year the InfiniBand Trade Association reported the technology is seeing continued growth on the TOP500 list of supercomputing sites. InfiniBand connects the majority of the top 100 with 61 percent, the top 200 with 58 percent and the top 300 with 51 percent. The total number of InfiniBand-connected CPU cores on the TOP500 list has grown 65 percent, from 1.4 million in Nov. 2009 to 2.3 million in Nov. 2010.

IDC says the HPC market was worth $19 billion in 2010, up 10 percent, and expected to see 7 percent growth through 2015. While Ethernet remains the leader, the research company predicts InfiniBand will continue to take market share from proprietary interconnects.

Supercomputing is the key to the deal, says Intel. While the percentage of HPC CPU shipments will drop from 15 percent to 12 percent between 2010-2015, it still represents a sizable chunk of the total market. However, next year the top 100 supercomputing CPU (total addressable market) will reach 1 million units, double in 2015, and reach 8 million units by 2019.

Intel says InfiniBand was seen as the missing piece to developing a scalable fabric by 2018. The acquisition also rounds out the company's Ethernet portfolio, it says. HPC is one of thetwo key pillars of growth within Intel's data center business, along with cloud.

The other company remaining in the IB market is Mellanox Technologies), which along with Qlogic, has been an Intel partner. Oracle uses InfiniBand technology in its database appliances and bought a 10.2 percent share of Mellanox in late 2010.

The Qlogic deal, which is is expected to close this quarter, involves the product lines of and certain assets related to its InfiniBand business. A significant number of the employees associated with this business are expected to join Intel's network and communications unit.

Learn more about OpenFlow vs Traditional Networks by subscribing to Network Computing Pro Reports (free, registration required).

Arguing that multiple point appliances intended to secure a network only add to complexity without providing the intended protection, F5 Networks is introducing what it calls a Data Center Firewall to combine multiple security solutions into one appliance. The appliance, called BIG-IP model 11050 and carrying a starting price of $129,995, delivers such security features as dynamic threat defense, DDoS protection, protocol security, SSL termination and a network firewall.

"The current environment just doesn't scale, it doesn't extend and it doesn't respond. We think this model is broken and it's very, very real in our customer base today," said Mark Vondemkamp, director of product management for F5.

ICSA Labs, an industry accreditation body for network firewall solution, certified the F5 BIG-IP product family as a secure socket layer (SSL), transport layer security (TLS) and virtual private network (VPN) compliant appliance line.

The appliance is designed to respond to some of the latest types of attacks on networks, Vondemkamp said, such as dedicated denial of service (DDoS) attacks where web sites are pinged millions of times to bring them down. Lately this has been done for political reasons such as the attacks on sites targeted in the wake of the WikiLeaks document dumps of U.S. State Department cables in 2011.

F5 has also seen a rise in the number of blended threats on the Internet, combining a DDoS attack with an application-level attack. Lastly, the BIG-IP appliance protects against zero day attacks, in which a vulnerability in a software program, such as Microsoft or Adobe, is discovered before a patch for it can be developed and deployed.

The array of point solutions to address these threats -- network firewalls, DDoS appliances, domain name server (DNS) appliances, web application firewalls and load balancers -- are difficult to manage, can be a drag on network performance, and can result in multiple points of failure, said Vandemkamp.

"The traditional approach needs to be replaced by a unified security architecture," he said.

F5, in the leaders quadrant in the Gartner research "Magic Quadrant" analysis of SSL and VPN security vendors, released in December 2011, shares top spot with Cisco Systems and Juniper Networks, while competitor Citrix Systems is identified as a viable "challenger."

However, in its analysis of vendors, Gartner faults F5 for lacking an Internet Protocol Security (IPsec) capability in its products. IPsec is a protocol for securing IP communications by authenticating and encrypting each IP packet in a communications session."F5 faces an uphill contest with vendors that offer both SSL and IPsec, and should reconsider whether to build or acquire client-based IPsec support," Gartner reported.

That aside, the F5 approach of combining different point solutions into one powerful data center firewall is a viable approach, said Jeff Wilson, a principal security analyst at Infonetics research.

Even though the typical enterprise data center may not be as much of a target of a malicious DDoS attack as would a financial institution or a government agency, data centers are still high-value assets that need enhanced protection for today's threats, Wilson said.

"Since data centers typically process a lot of traffic, have high bandwidth connections and have a lot of high-capacity gear, when attacks are aimed at them they tend to be very fast attacks, but the typical firewall isn't designed to handle a DDoS attack," he said. "The scale of the attacks is really what's at issue in a data center."

F5 compared its BIG-IP 11050 to the Juniper SRX 3400 on throughput, connections per second and the number of concurrent connections it can support. Wilson says that's because Juniper has a significant foothold in the data center and, like F5 and other network security vendors, is trying to expand its presence in those data centers. He identified HP's Tipping Point and CheckPoint as among other vendors going up against F5.

Learn more about Data Encryption by subscribing to Network Computing Pro Reports (free, registration required).

Migration to Windows 8 won't be a shoo-in, with a number of issues remaining to be addressed before Microsoft can expect the majority of its users to migrate to the new version of the operating system. A new survey from Information Week Analytics, Research: Windows 8, finds that the migration strategy appears to be predicated upon people migrating from Windows 7 to Windows 8, when it has already been clear that a significant minority of existing users are still running Windows XP – which demonstrates the sort of problem that Microsoft is facing. The new OS is scheduled to come out in beta in February and for final shipment in the second half of the year.

According to the survey of 973 business technology professionals, 90 percent of them still have Windows XP, and 81 percent of them have Windows 7. Just over half, 52 percent, plan to upgrade, while 48 percent will not. Of those planning to upgrade, 82 percent will be upgrading from Windows 7 and 54 percent will be upgrading from Windows XP. Half plan to stay with Windows XP, while 30 percent plan to stick with Windows XP. And even those who do plan to upgrade, 28 percent, the largest percentage, have not yet established a timetable for when they will be upgrading. Moreover, 21 percent said they do not plan to deploy Windows 8 on mobile devices.

Issues cited by the survey respondents included having to redesign applications in order to support the new Metro tile-based touch user interface, the requirement for touch devices and monitors to take advantage of the new interface, Windows 8 compatibility among different browsers, and the requirement to develop back-end systems that can service a variety of devices.

Barriers to upgrades cited by respondents include other IT projects with higher priorities, compatibility issues, testing requirements, a lack of business drivers or ROI, training requirements, lack of staff, lack of money, and the fact that they're still in the process of migrating to Windows 7.

Another survey, Information Week's 2012 forecast found the prospects are good for Windows 8 Server, and not so bright for Win Mobile. At the end of 2011, 63 percent of respondents said they'll run Windows 8 on at least 50 percent of their servers. Only 30 percent of respondents say they'll run the phone/tablet version on that fraction of these devices, which was considered surprisingly high.

Migrating from Windows 7 to Windows 8 is supposed to be seamless, but migrating from Windows XP to Windows 8 will be another issue, since like the migration to Windows 7, it will require a clean install. "Essentially, you have to save your data, do the install, and migrate your data in," says analyst Roger Kay, owner of Endpoint Technologies Associates Inc. Moreover, Windows XP users may find they need more memory or processing power to support Windows 8.

"If a system is more than two or three years old, it might not have the processing power to make Windows 8 work correctly," says Charles King, principal analyst for Pund-IT Inc.

However, users who migrate from Windows 7 may see improvements, says Rob Enderle, principal analyst for the Enderle Group. While Windows 8 has the same memory requirements as Windows 7, it is less resource intensive. "The cheapest systems that run Windows 7 or Vista should be as fast or faster with Windows 8," he says. Systems should have at least 2 gigabytes of memory, though Kay suggests that 4 gigabytes would be better.

Learn more about Research: Windows 8 by subscribing to Network Computing Pro Reports (free, registration required).

IBM and NEC are collaborating on high-performance OpenFlow deployments. OpenFlow, developed at Stanford University, has enjoyed acceptance in university networks because an OpenFlow network can run alongside the campus production network without impacting it. In 2011, OpenFlow broke out of its education niche into the mainstream with announcements from Big Switch, Fulcrum and NEC. IBM's and NEC's announcement is a proof point that OpenFlow has a role in enterprise IT and can be used in high-performance applications.

There are a number of myths surrounding OpenFlow, including that there is a delay on the first packet of a flow to perform a lookup and that the controller is a single point of failure. Both are easily addressed through sound management practices. In fact, the upsides of using OpenFlow--such as simplified traffic management, policy-based networking that creates paths through the network based on higher-level decisions than the destination address, and software-defined networking where there is tight integration between applications and network configuration--can far outweigh any downsides. The IBM and NEC announcement describes how enterprises are overcoming these obstacles in OpenFlow on their production networks

One customer of the combined IBM and NEC products is Selerity which provides financial information from primary sources to their subscribers. Their service-level commitments are on the order of microseconds, required so that all subscribers receive the same information at the same time. In addition, Selerity has to manage subscription entitlements to its customers to ensure they are getting what they paid for. Selerity's entitlement application needs to make those decisions and dispatch the data in near real time. The challenge Selerity faces in meeting all of those competing goals is in maintaining low latency and traffic separation.

Selerity satisfied those requirements using a convoluted set of VLANs and high-end firewalls to forward traffic to the proper locations, or by using an application-level process to make the forwarding decisions. In either case, the solution was complex, inflexible and expensive. Adding a new subscription to a customer meant making a number of changes to networking equipment, which took time and was error-prone.

Using OpenFlow on NEC's Programmable Flow Controller, Selerity was able to move the forwarding decision off the servers and firewall/switch layer into an OpenFlow-controlled network. Using flow rules defined once on the Programmable Flow Controller, the UDP packets coming from Selerity's servers are rewritten, added to a multicast group and forwarded to the destination ports corresponding with individual customers in a few micro-seconds. Selerity ensures that the correct data goes only to intended customers and that all of the customers receive the data at the same time. Selerity was also able to easily add more redundancy to its delivery network since an OpenFlow network isn't hobbled by Ethernet constraints like having a loop-free network.

Selerity's application and SLA requirements are unique to the financial industry, but many enterprises have similar demands that could be addressed using an OpenFlow-managed network.

IBM and NEC also described unnamed customers using OpenFlow to solve common issues such as forwarding network traffic to multiple analysis devices and forwarding traffic to load balancers. Companies like Anue Systems, Gigamon and NetOptics offer in-line network taps that can combine many network connections into a single output or split a single input into many outputs, either replicating all frames across all output ports or slicing the output stream based on data in the frame like addresses and port numbers. These taps work well but are expensive and require that they sit in-line with the monitored link. The security customer connected taps and switch span ports to an IBM G8264 OpenFlow switch, ran the traffic though a deep packet inspection engine and then forwarded the flows to one or more analysis tools. The monitoring is much more flexible than a fixed tap.

More vendors are hopping on the OpenFlow bandwagon, including networking giants Cisco and HP. Juniper Networks added OpenFlow to its Junos SDK in 2011, while OpenFlow controller vendor Big Switch introduced an open source OpenFlow controller early this year. We will continue to see interesting use cases of OpenFlow in production environments.

Learn more about OpenFlow vs. Traditional Networks by subscribing to Network Computing Pro Reports (free, registration required).

HTML5 is the new "it" protocol on the Internet. Among other things, it is an alternative to Adobe's Flash for displaying content through a Web browser. No less an industry authority than the late Steve Jobs declared in 2010 that browsers on Apple devices such as the iPad would support HTML5 and not Flash. But as HTML5 gains wider adoption some of its security flaws are beginning to get noticed, including the WebSocket specification that renders Web pages more quickly than does Flash.

"Anything new comes with some new security concerns," said Joe Bulman, systems architect for Wedge Networks, a network security company specializing in what it calls "deep content inspection" of traffic on Web networks.

HTML5 security issues have drawn the attention of the European Network and Information Security Agency (ENISA), which studied thirteen HTML5 specifications, defined by the World Wide Web Consortium (W3C), and identified fifty one security threats.

A recent alert from security vendor Sophos stated HTML5 provides far more access to the computer's resources than its predecessor, offering capabilities like location awareness, local data storage, graphics rendering and system information queries, which are built in and quite powerful. However, the alert cautions that while the enhancements are great, "they radically change the attack model for the browser. We always hope new technologies can close old avenues of attack. Unfortunately, they can also present new opportunities for cybercriminals."

Bulman identified four main concerns. First is the problem of cross-origin resource sharing (CORS), in which a web server can allow its resources to be accessed by web page from a different domain. While useful in aggregating content from several sites, he said there is a risk that some content may be shared that shouldn't be. Second is the problem of click-jacking, in which malicious code is surreptitiously placed on a web page image behind a digital mask that makes an item appear to be safe and invites the user to click on it. Third, HTML5 has unique geolocation and privacy issues that need to be addressed, although he added that HTML5 standards bodies as well as browser vendors are addressing them.

In fact, to its credit, the HTML5 community is responsive and "transparent" in how it operates, he said. Also, HTML5 applications have more restricted access to system resources than with Flash while HTML5 protocol updates are delivered through browser updates, so they're more likely to be applied. All the major browser vendors are working on HTML5 security issues and the HTML5 community enjoys the support of the Internet's biggest brands, including Facebook, Google, PayPal and Bing, which means that use of HTML5 should be on a strong growth curve.The fourth potential flaw relates to one of the HTML5's best features. The WebSocket API enables two-way communication over one transmission control protocol (TCP) socket. The Websocket.org web site uses the example of a stock ticker Web application to explain how WebSocket works. In a traditional HTTP designed browser, in order to display the most current price for a stock, the browser constantly pings the web server for new information, a process called "polling." Because that wastes time and compute resources, WebSocket allows the web server to push the information out to the browser only when it has new information to share.

The feature, called asynchronous full duplex communication, drastically reduces the amount of unnecessary traffic between server and browser, said Bulman. In the example of the stock ticker app accessed by 10,000 end users in the experiment, the data traffic reduction ratio was 500:1.

The downside is that WebSocket disables a number of important network security tools. It takes over key network ports such as Port 80 that screen packets for any maladies and, in a WebSocket port, the packets lack the traditional headers that would be seen by a web application firewall to block suspicious packets. Reputation-based defenses also fail with WebSocket deployed.

Wedge Networks' solution to this dilemma is an approach it calls "deep content inspection," a feature, introduced in November 2011, of its WedgeOS operating system that powers its security appliances.

"We judge the content, the structure and the intent of the data in motion," said Hongwen Zhang, CEO of Wedge Networks.

Wedge offers a "unique architecture" to deliver high performance deep packet inspection, wrote Chenxi Wang, a Forrester analyst, in a report providing a market overview for the content security space for the third quarter of 2011.

"Using this deep content inspection engine, customers can conduct in-depth malware detection, DLP processing, and content classification at line speed," Wang noted.

But Wedge competes with a number of well known players in this space, including Cisco, Google, McAfee, Microsoft, Sophos and Symantec, among others, she said.

Learn more about Data Encryption by subscribing to Network Computing Pro Reports (free, registration required).

Mainstream network players and those chasing them are all out to erase the lines between wireless and wired networking. As the network edge gets redefined and the cloud makes its presence felt in LAN and WLAN spaces, announcements like Meraki's latest update are getting to be more commonplace, and exciting. With a number of interesting product updates to share, Meraki is starting 2012 with a bang.

As mentioned before in this blog, I am a single-site Meraki customer. Though my main wired and wireless networks are built on Cisco gear, last year I opted to run with Meraki in one of my overseas locations for a campus deployment that features site-to-site VPN back to our main campus, routing, and thirty-five access points in a framework that is all-Meraki except for the handful of Cisco edge switches that handle Layer 2 duties. The Meraki deployment has been rock-solid and reliable, but soon will be even better.

Meraki has just announced new hardware and features that bode well for existing and prospective customers, and for the industry in general as a sign of things to come. In my own little corner of the Meraki cloud-managed world, I manage wired and wireless networks via a common dashboard on the web. Though effective, I have found areas where Meraki could do better by their customers. One of these minor pain points is in managing my site-to-site VPN, as the current UI is pretty sparse on relevant information for this important function. Thankfully, the latest incarnation of the Meraki cloud-based management system rectifies this with two-click site-to-site VPN configuration and welcome details on each tunnel's latency and status.

Even bigger to me, no-extra-cost WAN acceleration has come to the Meraki MX series. Legacy customers like me who use the MX 50 or 70 will see modest gains in WAN acceleration after our free and automatic code upgrade, but customers who get in on the latest MX hardware series also get the benefit of increased processing, memory, and a 1 TB hard disk cache for what Meraki estimates to be "up to 197x improved" WAN transfer times. As enterprises like mine continue to globalize, squeezing the most from site-connecting over-the-Internet WAN links is of paramount importance. That you get WAN optimization as part of the MX purchase without additional licensing is huge.

Also part of the latest release, Meraki is introducing their new cloud-managed Layer 2/3 switches with Power over Ethernet. In my own current deployment, I can manage my Meraki MX appliances (routing, security, DHCP, traffic classification and control, guest access, etc) and wireless APs, but not my Cisco switches through my cloud-based dashboard. When I rolled out my environment, Meraki did not offer an edge switch. The new MS series switch comes in branch and campus network flavors, and other than not having redundant and field-replaceable fans and power supplies (hint to Meraki), seem to have good feature parity with the big expensive competitors and some nice trouble-shooting value adds not typically found in other switching products . The beauty here is that wired and wireless users alike are identified, classified, controlled, and supported through the same administrative dashboard, regardless of whether they use a patch cable or wireless adapter to connect.

Given that wireless networking is fast coming to equaling or even surpass Ethernet in terms of criticality for user access across different business networks, it's not surprising that vendors are moving into even deeper "whole solution managed under single pain of glass" waters. Meraki may not be the biggest fish in the networking pond, but I can speak first hand on their effectiveness at providing a turn-key, cloud-managed solution that makes managing a network easy (and in my case, it's a network on another continent that tightly integrates with my main network). I'm tickled that a good thing is getting even better with Meraki's latest announcements, and am hopeful that others in the networking space are working on similar strategies.

Gone should be the days of thinking of wired and wireless networking as unique spaces, and needing racks full of appliances to gain VPN and enterprise-class security capabilities. Meraki has proven that for the right environments, a tremendous amount can be done with minimal box requirements and that installation and management don't need a team of IT pros to accomplish. Here's hoping we see more of the same from the competition.

Disclaimer: I am a single-site Meraki customer.

Boys and girls, today's homework assignment is a thought experiment. I want you all to put yourselves in the shoes of the CxO team making a decision to move to private cloud. There is of course one catch; you may not factor in ROI. We're dropping ROI because it clouds the subject (bad pun intended.) Let's skip the why should I do this experiment; I'd of course default to 'Because I told you so.'

Let's work through this together; it may be a tough one. Many of us have been trained to make all IT-related decisions based on ROI. Some of this is self-induced, some may come from vendors with ROI spreadsheets utilizing amazing formulas, industry data and handfuls of pixie dust to show how much money you'll save over the next 3 years with widget X.15. For whatever reason, ROI is a big part of most IT-related decisions.

IT decisions weren't originally made this way; instead they were made based on the business value that would be gained from an IT system. IT was purchased based on how it would enable the business to increase profits, build better products, or better service its customers. That's really what the technology should be about.

The decision to move to private cloud should be based on the competitive advantage it can provide. If we can justify that private cloud can give us the ability to do something better, faster, or at lower cost than the competition we're halfway there. Let's take a look at gaining competitive advantage with private cloud.

Let's start with some example numbers for the time it takes to bring a new service online:

1 week - Design and validate a BOM (bill of materials)

1 week - Receive approvals and submit PO

2 weeks - Wait on required gear

1 week - Rack, stack, cable and configure

3 weeks - Build service, test and validate

2 months - Total time

This is just an example; some of these times may be laughably short or long depending on your organization. Using these example numbers you have a 2-month period between identifying a new service that will enable your business and having that service online. This doesn't take into account the rollout and training of the service once online. If you could cut that time in half would that provide competitive advantage?

By using a private cloud model for delivery of IT services, this process can be trimmed to 3 weeks (using the same example numbers.) The infrastructure would be in place, carved into flexible pools and the tools to automate deployment of the required subset would be available to IT staff, developers, or both. Through a self-service portal the first 4 steps above can take place in minutes.

Additionally, scale is simplified through standardized infrastructure components. Rather than deciding on which server, storage, or switch is required per project, pre-defined components are purchased and plugged into the resource pools as capacity is required. Is your network at capacity? Add a switch to the mesh. The hardware itself becomes nothing more than CPU, RAM, storage and I/O capacity for the delivery model you've built.

The flip side of the above model is removing old or under-performing services. When an application or service is removed from the cloud the resources are returned to the pools. In a legacy data center build, it is difficult to repurpose hardware when a service is no longer needed, and as such often doesn't happen. Scaling down occurs, and services are eventually retired. This model allows for seamless return of the underlying hardware resources to the cloud.

The last piece of competitive advantage is of course cost. Any reduction in cost without a reduction in revenue will inherently increase profits. This is why the ROI model persists so strongly. Private cloud can, and does in many cases, reduce costs but this depends on how mature your IT organization is at the onset. Much of private cloud's cost reduction comes from the virtualization of the underlying hardware; automation and orchestration are not required for that, but help provide the business value shown here.

While cost is always a factor, and quite important, it should not be the first or most important criteria. Cost is more easily modeled and budgeted for once the end goal has been defined. If you begin with an attempt to show ROI you end up with models of very subjective soft costs showing savings over time. These are not solid foundations for such a large change. Define the advantages private cloud can provide your organization, decide whether they provide enough value to embark on the journey, and then model the costs into your budget.

Faced with rapid growth and increases in the amount and complexity of data and its IT operations, RJ Lee Group went looking for a way to simplify its computing infrastructure. The company ended up selecting Spiceworks as an alternative to adding staff or spending a lot of money on network and system management software.

"By moving to Spiceworks, we were able to manage our infrastructure more effectively without increasing our expenses," says Justin Davison, senior systems engineer at RJ Lee Group. In business since 1980, the company is an industrial forensics laboratory offering specialized materials characterization, forensic engineering, and information management services. For instance, it helped the United States Environmental Protection Agency (EPA) develop a method to analyze asbestos.

The company's research-based services chew up a lot of IT resources: they have 30 Terabytes of data stored on a Storage Area Network (SAN), and servers primarily running Microsoft's Windows operating system. The 300-person operation works mainly in Monroeville, PA, but has spread its wings to more than half a dozen satellite locations, including New York City and Quebec City.

The small IT staff oversees the dispersed computing infrastructure. Traditionally, this group relied on each component's (server, router) inherent management functions to ensure that its applications were up, and its network connections were functioning well.

By 2008 that approach was proving to be inadequate. "Our applications and IT infrastructure were growing and becoming more dispersed," says Davison. Consequently, tasks such as determining what might be causing a slowdown on a network link, were taking more time to complete. "We needed a tool that would automate some of our routine administrative tasks," he says.

There was no shortage of options available, but the company wanted to keeps its expenses as low as possible. So Davison started searching on the Web for free management tools and Spiceworks emerged as an intriguing option because of its all-encompassing nature. Although it began life in 2006 as a basic network inventory and scan tool, the offering has grown into a full-fledged help desk and IT support community with more than 1.5 million users. To stand out from the competition, it uses an advertising-based model: customers do not pay for the product but are exposed to Google-like advertisements.

"Spiceworks is like a 'Swiss Army knife' for system and network management," notes Davison. The product includes a series of modules that can be used autonomously or in conjunction with one another.

After making the decision to go with Spiceworks in the spring of 2008, RJ Lee had the product up and running in a few weeks. "Spiceworks includes an intuitive user interface, so the initial configuration was straightforward," he says.Once the tool was installed, the company streamlined a few of its management functions. The product's core management features automatically track configurations and report any changes, so technicians no longer had to manually enter that information. A network monitoring feature correlated network activity so the staff had more insight into any performance issues.

While some companies may view the ads as annoying, Davison has found them helpful. His company has purchased more than half a dozen products after seeing various ads.

Another benefit from the freeware is its substantial use of social networking to encourage users to interact with one another. "The Spiceworks community gives me a million people I can reach out to and ask for and share advice," says Davison. The community has become an ad hoc extension to the firm's IT department, offering advice that has remedied a handful of problems that the staff could not figure out on its own.

In the spring of 2010, RJ Lee augmented its use of the system through Spiceworks' Reach program, which enables cloud services vendors to create custom plug-ins so customers can add, manage, and monitor cloud services within its software. Hundreds of management plug-ins are available from vendors such as HP, LogMeIn, Rackspace, and Symantec. "With Spiceworks, we don't have to work with different Web-based portals to monitor and provision any of our cloud resources," he says.

Next on the agenda is to create a portal so employees can submit trouble requests. Spiceworks IT Help Desk Portal's trouble ticket module organizes and prioritizes tickets based on customized criteria, such as due dates. A project management function will enable RJ Lee to delegate, prioritize, and track time spent on various initiatives.

To date, the management tool has been a good fit for the company. One potential concern is the possible lack of the scalability and features mid-size and large companies desire from their management tool. Also, as a relatively new player in the management space, Spiceworks may encounter skepticism about its long term viability, especially since it has a non-traditional business model.

However, RJ Lee has no qualms about the vendor or its product. "Companies do not need to be scared off from free software," concludes Davison. "We have found one that meets our needs."

Learn more about IT Pro Ranking: Data Center Networking by subscribing to Network Computing Pro Reports (free, registration required).